Wednesday, July 24, 2013

As many sources reported earlier today, an email claiming to be from CNN's "Scribbler" provided a link to "Watch Live Hospital Updates" of the Royal Baby:

But what do Harrison Ford, President Obama, and Snowden have in common with The Royal Baby?

They were all subjects of fake "CNN Breaking News" stories delivered by spam email today that contained links to a dangerous collection of malware! In the Malcovery Spam Data Mine we had hundreds of copies of emails with subjects including:

To demonstrate the relatedness of the spam, a list of the URLs used by each of the four campaigns is given at the end of this article, labeled either "snowden", "ender", "obama", or "tree" according to which campaign advertised that URL. We threw all of the advertised URLs into a fetcher and found two different files at the destinations. The first (from earlier in the day) pointed to two JavaScript files that were used to redirect the visitor to an Exploit Kit that would cause malware to be dropped on their computer. The second (later in the day, and still live as of this writing) pointed to three JavaScript files that redirected to a different Exploit Kit site.

I've added spaces to the URLs for your protection, but DO NOT VISIT ANY OF THESE URLS!!!
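The two habits described above, grouping the advertised URLs by which lure theme sent them to show that the campaigns share infrastructure, and altering the URLs before publishing them so nobody clicks one by accident, can both be automated. The following is an added example, not code from the original post or from Malcovery; the spam records in it are constructed sample data with `.invalid` hostnames, and the `hxxp`/`[.]` defanging convention is an assumption standing in for the author's inserted spaces.

```python
"""Cluster spam lures by the hosts they advertise, then defang them for a report.

Added example. SAMPLE_SPAM is constructed data (campaign label, advertised URL),
not records from any real spam corpus.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records: (lure theme, URL advertised in the email body).
SAMPLE_SPAM = [
    ("snowden", "http://lure-alpha.invalid/cnn/snowden.html"),
    ("snowden", "http://lure-beta.invalid/news/update.php"),
    ("ender",   "http://lure-alpha.invalid/cnn/ford.html"),
    ("obama",   "http://lure-beta.invalid/news/update.php"),
    ("obama",   "http://lure-gamma.invalid/obama.html"),
    ("tree",    "http://lure-alpha.invalid/cnn/baby.html"),
]


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL (port dropped)."""
    return urlsplit(url).hostname or ""


def group_by_campaign(records):
    """Map each campaign label to the sorted, de-duplicated hosts it advertised."""
    hosts = defaultdict(set)
    for label, url in records:
        hosts[label].add(host_of(url))
    return {label: sorted(h) for label, h in hosts.items()}


def shared_hosts(records):
    """Map each host advertised by more than one campaign to the set of campaigns.

    A host that appears under several unrelated lure themes is the evidence
    that the themes are one operation using different bait.
    """
    campaigns = defaultdict(set)
    for label, url in records:
        campaigns[host_of(url)].add(label)
    return {h: labels for h, labels in campaigns.items() if len(labels) > 1}


def defang(url: str) -> str:
    """Render a URL so it is not clickable: http -> hxxp, dots in the host -> [.]

    Only the hostname is altered; the path and query are kept intact so the
    indicator still matches what analysts see in proxy logs.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")  # also turns https into hxxps
    host = parts.netloc.replace(".", "[.]")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path}{query}"


def report(records):
    """Return defanged report lines: one per host seen in two or more campaigns."""
    lines = []
    for host, labels in sorted(shared_hosts(records).items()):
        lines.append(f"{defang('http://' + host)}  campaigns: {', '.join(sorted(labels))}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SPAM):
        print(line)
```

Running the block prints the two sample hosts that appear under more than one lure theme, each already defanged, which is the form in which an indicator list should leave an analyst's hands.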

Adobe Flash Player Update?

After infection, the website tries to trick the user into "upgrading his Adobe Flash Player", but please notice in the graphic below that I'm not on the Adobe website!

After "installing" my Adobe update, my sandbox went crazy and also fetched malware from each of these locations:

After infection with the second, my sandbox went to "deltarivehouse.net / forum / viewtopic.php" (173.246.104.136), which caused a string of additional infections to occur. While the initial infection was Zeus, the well-known Financial Crime malware that steals banking information but also gives criminals full remote-control capabilities over your computer, the purpose of the additional malware was another form of money making.

Medfos, one of the malware names given to several of the above, is an "Advertisement redirection" malware campaign. Microsoft did a great job explaining how Medfos works in their blog post, Medfos - Hijacking Your Daily Search on the Microsoft Malware Protection Center blog back in September. Some of the sites that seem to be related to this Medfos install include "bidpenniesforgold.net" (IP: 50.63.25.37) and "webpayppcclick.com" (IP: 85.17.147.34).

According to our friends at Domain Tools, that last IP address is associated with a whole world of "Pay Per Click" fraud domains, including: